Version 5 (modified by luis, 3 years ago)


Umit Assistant

Everybody knows Clippit, the animated assistant that ships with Microsoft Office. It would be nice to have an animated assistant to take care of helping users in some situations, and I'm sure it is going to help Umit with every new feature it might have in the future: showing the user how to better analyse the scan results he got, suggesting things he can do with the result, and even explaining what that result means. There are a lot of things that can be done with it. The student applying for this idea must take care to make it extensible, so that it is easy to use and to integrate into future projects. It is also a good idea to support switching assistants, letting users switch the assistant from (for example) an animated pill to an animated HUB (??). Volunteers for the animations and designs are very welcome to help our student on this task! And, of course, we're going to give you proper credit for your work on our website and in the Credits window of Umit.

Nmap Wrapper for Python

The wrapper's intention is to provide a module from which you can create an Nmap instance, set the desired options and targets, and run it without the need to execute it in another process. The wrapper must allow access to Nmap functionalities like the estimated time to finish the scan and runtime user interaction.

Users will hardly notice any change with this wrapper. This is a feature that is going to make Nmap and Umit developers' lives easier when adding new features or even integrating with future Nmap options and functionalities.

NSE Facilitator

Last year we had a student working on this feature, and we got far with it. But still, there is a lot of work that couldn't be done in only one Summer. The goal of NSE Facilitator is to provide a good NSE experience for average users, who don't know NSE much but still need to use it to get their job done. And our work is to help them get their job done quickly. We need some ideas on how to improve NSE and ease its use for the average user. Students willing to apply for this project are expected to interact with the plugins project, as they're closely related projects and one can benefit or harm the other. If you're willing to work on a proposal for this project, take a look at where we currently are with NSE Facilitator at https://svn.umitproject.org/svnroot/umit/branch/NSEFacilitator .

Nmap OS fingerprint database system

The Nmap OS fingerprint database is a set of signatures representing the TCP/IP stack implementations of many operating systems. How this system works is not easy to understand, but Nmap always has good documentation of its features. In this case the student who wishes to apply for this idea must be familiar with the Nmap OS detection documentation[0].

This idea consists of a solution for two main problems:

  1. The Nmap OS fingerprint system fails in some cases[1], but this is not because of the database data; it happens because of the design of the fingerprint matching algorithm. So, using a selective OS matching algorithm with the nmap-os-db file, it is possible to solve these problems without changes to the Nmap code base.
  2. The results of Nmap's OS fingerprint system can only be analysed statically by the user. It would be interesting if users could choose the signature fields and the algorithm to use when performing OS matching.

The choice of OS matching algorithm depends on the format of the input, in this case a signature from the nmap-os-db file. If you convert this alphanumeric data into numeric values, you will broaden the range of OS matching algorithms that can be used.
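As an added illustration (not code from Umit or Nmap) of the selective matching in point 1, the user-chosen fields in point 2 and the numeric conversion just mentioned: a small Python matcher over constructed lines in nmap-os-db syntax. It handles only the literal, hex-range and '|'-alternative subset of that syntax; DB_ENTRY, OBSERVED and the chosen field names are constructed samples.

```python
import re

# Constructed fingerprint in nmap-os-db syntax (illustrative, not a real entry): each
# test holds attr=expr pairs split by '%'; expr is a literal, a hex range or '|' alternatives.
DB_ENTRY = {
    "SEQ": "SP=C8-D2%GCD=1-6%ISR=C9-D3%TI=Z%CI=Z%II=I%TS=8",
    "T1": "R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=",
}
# Constructed observation of a target in the same syntax, single values only.
OBSERVED = {
    "SEQ": "SP=CD%GCD=1%ISR=D0%TI=I%CI=Z%II=I%TS=8",
    "T1": "R=Y%DF=N%T=40%TG=40%S=O%A=S+%F=AS%RD=0%Q=",
}
HEX_RANGE = re.compile(r"([0-9A-F]+)-([0-9A-F]+)")

def parse_test(line):
    """Split 'A=B%C=D' into a dict; an empty value such as 'Q=' is kept as ''."""
    return dict(pair.split("=", 1) for pair in line.split("%") if pair)

def match_expr(expr, observed):
    """True if the observed value satisfies any '|' alternative of expr."""
    for alt in expr.split("|"):
        m = HEX_RANGE.fullmatch(alt)
        if m:
            try:
                if int(m.group(1), 16) <= int(observed, 16) <= int(m.group(2), 16):
                    return True
            except ValueError:  # observed value is not hex, so no range can hold it
                pass
        elif alt == observed:
            return True
    return False

def selective_score(db_entry, observed, fields):
    """Compare only the user-chosen (test, attr) pairs; returns (matched, considered)."""
    matched = considered = 0
    for test, attr in fields:
        sig, obs = parse_test(db_entry.get(test, "")), parse_test(observed.get(test, ""))
        if attr in sig and attr in obs:
            considered += 1
            matched += match_expr(sig[attr], obs[attr])
    return matched, considered

def to_number(expr):
    """Numeric view of a field: midpoint of a hex range, a hex literal's value, else None."""
    m = HEX_RANGE.fullmatch(expr)
    if m:
        return (int(m.group(1), 16) + int(m.group(2), 16)) / 2
    return int(expr, 16) if re.fullmatch(r"[0-9A-F]+", expr) else None
```

The caller picks the fields and the threshold, which is the point of the selective algorithm: a mismatch in one volatile field no longer sinks the whole entry.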

References

UmitMapper new features

The idea is to add new features to Topology Network, also called UmitMapper. Some topics that can be explored:

  1. How to represent graphically the existence of services on hosts.
  2. Which other visualization techniques can be used to make the visualization better.
  3. What other kinds of information can be expressed by the map.

Look around at other network visualization tools[1,2] and see what they have and what they don't have.

References

Vulnerabilities database system

The Umit classification of a host's vulnerability score is based only on the number of ports that Nmap found. This can be improved by using each port's information, like its service and version. To do this task it is interesting to create a relational database compatible with SQLite[0] and an API to easily access the database information (e.g. functions that return a set of vulnerabilities given a service and version). Not just the services can be searched in the database but also the operating system detected by Nmap. Good database candidates are the National Vulnerability Database[1] and the Open Source Vulnerability Database[2].

Beyond the database application interface, it would be good if the proposed tool had a user interface that gives the user the option to search for vulnerabilities and view them in a friendly form.

Look around at some vulnerability search engines to see what they have and what they don't have.

There is something already in development. Please check: http://trac.umitproject.org/browser/nvdb
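An added sketch (not the nvdb code linked above, nor Umit's own) of the SQLite schema and lookup API described here, in Python with the standard sqlite3 module: one query function for a detected service or OS version, and a host score that replaces the port-count heuristic. The table names, the VULN-* ids and every row are constructed placeholders.

```python
import sqlite3

SCHEMA = """
CREATE TABLE vuln (id TEXT PRIMARY KEY, summary TEXT NOT NULL, score REAL NOT NULL);
CREATE TABLE affected (          -- one row per affected product and version range
    vuln_id TEXT REFERENCES vuln(id),
    kind TEXT NOT NULL,          -- 'service' (from the port scan) or 'os' (OS detection)
    product TEXT NOT NULL,       -- Nmap service name or detected OS name
    version_min TEXT, version_max TEXT);  -- inclusive; NULL means unbounded
"""
# Constructed sample rows; the VULN-* ids are placeholders, not real advisory ids.
ROWS = [
    ("VULN-0001", "remote code execution in ssh daemon", 9.3, "service", "ssh", "4.0", "4.3"),
    ("VULN-0002", "information leak in http server", 5.0, "service", "http", None, "2.2.8"),
    ("VULN-0003", "kernel privilege escalation", 7.2, "os", "Linux 2.6", "2.6.0", "2.6.24"),
]

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO vuln VALUES (?,?,?)", [r[:3] for r in ROWS])
    con.executemany("INSERT INTO affected VALUES (?,?,?,?,?)", [(r[0],) + r[3:] for r in ROWS])
    return con

def vtuple(v):  # '2.6.24' -> (2, 6, 24); non-numeric pieces count as 0
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def in_range(version, lo, hi):  # inclusive bounds; None means unbounded on that side
    v = vtuple(version)
    return (lo is None or vtuple(lo) <= v) and (hi is None or v <= vtuple(hi))

def vulns_for(con, kind, product, version):
    """API entry point: ids of vulnerabilities affecting one detected service/OS version."""
    rows = con.execute(
        "SELECT v.id, a.version_min, a.version_max FROM vuln v "
        "JOIN affected a ON a.vuln_id = v.id WHERE a.kind = ? AND a.product = ?",
        (kind, product)).fetchall()
    return {vid for vid, lo, hi in rows if in_range(version, lo, hi)}  # version order in Python

def host_score(con, services, os_name=None, os_version=None):
    """Rank a host by the highest score of its matched vulnerabilities instead of
    by its number of open ports; services is [(name, version), ...]."""
    ids = set().union(*(vulns_for(con, "service", n, v) for n, v in services))
    if os_name and os_version:
        ids |= vulns_for(con, "os", os_name, os_version)
    if not ids:
        return 0.0, ids
    q = "SELECT MAX(score) FROM vuln WHERE id IN (%s)" % ",".join("?" * len(ids))
    return con.execute(q, tuple(ids)).fetchone()[0], ids
```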

References

UMPA link-layer support

UMPA[0] is a library to manipulate packets over the network. Basically, the user can modify packets on each layer of the OSI model. In the current state of the project, the link layer (second layer) is not supported. An experimental branch[1] adds this functionality but it still needs some improvements and testing. Porting to Windows and Mac OS X is essential (in the current state, only Linux is supported). Link-layer support should also be fully covered by unit tests to avoid occasional bugs. In the end, the branch should be merged into the main branch.

References

UMPA extra improvements

There are several features which would be nice to implement in UMPA[0].

  • new protocol implementations (e.g. ICMP and others supported by PacketManipulator[1])
  • finish auto-generation of some fields in already implemented protocols such as IP and TCP
  • rewrite the XML extension to support SOAP instead of DOM
  • IPv6 support
  • close tickets related to UMPA[2]
  • your own suggestions!

References

PacketManipulator - Improvements

  • Create a filtering mode (a better filter based on metadata and keywords): filtering by MAC (dst, src), IP, port, protocol etc., with an expression system supporting ranges in all fields, similar to Wireshark.
  • Improve drag-and-drop of packets: create an automatic way to fill the whole stack (but it should be optional); manual mode should work as well.
  • Currently there are features that only work with the scapy patched under deps/scapy-patches, but PacketManipulator should be able to run without any patches, using those features only if they are available.
  • Finish my branch to integrate UMPA (I already started but it's not finished yet)
  • Improve the PlotStatus plugin and integrate it (just a small plugin made with statistics)
  • Improve the Message Sequence Flowchart (plugin by Kasina) and integrate it [2].
  • Create more decoders for passive audits [1] (like the HTTP/SMB decoder developed last GSoC by Francesco), e.g. IRC, Jabber, VoIP (SIP, RTP, etc.), SMTP, IMAP, etc.
  • Customize colors of sniffed packets
  • Test it on all platforms and fix bugs (e.g., Windows)
  • Other independent features proposed by yourself

[1] - See Audit Framework documentation (PacketManipulator)
[2] - http://trac.umitproject.org/browser/branch/MSC

Network Scanner - Priority

  • UmitDB-NG was created to support Network Inventory, but Network Scanner has another, older database containing all the XML. Currently we're using XML stored in a database plus another database with each field stored separately. The idea is to merge both and create a good approach to this problem. In this process UmitDB-NG should be updated, creating a layer to support more than one backend: ZION, Nmap, etc.
  • Improve scheduling in Network Inventory (cronjob syntax is not easy for the casual user)
  • Fix bugs found on Trac (integration, etc.) - see the open tickets of Umit in [1]
  • Merge Preferences Window
  • Merge NSE Facilitator

[1] http://trac.umitproject.org/report/1

PacketManipulator, a distributed approach using Audit Framework

Nowadays home networks, enterprise networks and others are growing fast using high-level equipment: switches, routers and other modern approaches from the operators' world. In the academic and industrial world, sniffing mode is used all the time. Unfortunately it's not easy to access all the traffic in these networks because the equipment doesn't flood traffic like old routers did, but it could be done through communication between machines in the Local Area Network (LAN) - see figure.

A first approach is sending the sniffed traffic (from each node) through the network to a centralized server. Unfortunately this produces extra traffic of its own, so that extra traffic should be removed from the final result. Another task that should be done is synchronizing the clocks using the NTP protocol [1].

1. The first step of the project is adding the ability for PacketManipulator to run in the background (no GUI) and load audit extensions.
2. Develop an audit extension to exchange traffic between nodes in the network (it just sends the traffic to the monitor sniffer: centralized architecture).
3. Write a wrapper to receive traffic from other nodes.
4. Connect with the wrapper and show the packets in the Sniffing Perspective.
5. See all traffic in the Local Area Network (LAN) - synchronize time.

[1] - http://www.ntp.org

Remote Network Monitoring

With the rise of computers and networks, our networks have too many devices to manage. With mobility, people work most of the time remotely but they still have to manage the network. The goal of this proposal is to help users manage their network better, and it consists of 3 software modules to implement.

Agent: it can be a sniffer monitoring events configured remotely by the user (for example when HTTP traffic arrives, when too much traffic is going around in the network, etc.). It can use the UMPA library.
Broker: it receives SMTP messages and agent events (using an ad-hoc protocol) and stores all events in a database. All of it will be accessible through web services. It is a kind of gateway between monitoring and agents.
Plugin to Network Scanner - Remote Monitor (Viewer): views all events and details (alerts etc.); it can use Network Inventory to list alerts, traffic etc. It will be able to configure the Agents and send SMTP messages.

Use case to help understand the idea, see figure.

NOTE: Instead of the Plugin to Network Scanner, it could be an extension to UmitWeb.

Small ideas for GSoC/USoC (could be merged into a proposal)

Other cool ideas for Network Scanner/PacketManipulator extensions or plugins:

  • Send TCP SYN/ACK, estimate the round-trip time and show it graphically (see Nmap Network Scanning, page 131)
  • Probe rate graphics (see Nmap Network Scanning, page 133)
  • Module to estimate the remaining time during the scan (it seems kind of impossible, do you think so? Not for ZION I guess)
  • Extend the Plugins System to Network Inventory and Topology
  • Create a node list based on the topology and then run another scan on it (just a small feature)
  • .....
